TCP wrappers enable you to define a set of rules, called access control rules, that define which systems are allowed to access and use the services running on the local machine (that is, the machine on which the TCP wrappers are installed and configured) and which systems are denied access to these services. In addition, TCP wrappers enable you to log which client is using which service at what time, and even for what purpose. The best thing about TCP wrappers, however, is that they can be used to set booby traps for script kiddies. Before you can understand how TCP wrappers work, however, you must understand how Linux machines respond to connection requests.
All requests for connections received by a Linux box are transferred to the Internet daemon, or the inetd. The inetd is the main daemon on a Linux machine, and it receives all connection requests on behalf of all services or daemons running on all port numbers on that machine.
When the inetd receives a connection request, it uses two configuration files to determine what to do next:
- /etc/services. This file contains the names of the various services on the Linux box and the corresponding port numbers on which these services run. It is used by the inetd to figure out what service runs on what port number.
- /etc/inetd.conf. This file contains the names of the various services on the Linux box and the corresponding daemons or programs providing those services. It is used by inetd to figure out which program or daemon to call on when there is a request for a connection to a particular service.
Both these files work together and are interlinked.
So you can grasp how the inetd uses these two files to allow remote connections to take place, let's use an example. Suppose a client, X, wants to connect to a server, Y. Here's what happens:
1. X sends Y a packet containing the port number to which it wants to connect (in this case, 23, the telnet port) and the other information required to initiate a TCP connection.
2. In response, the inetd at Y searches the /etc/services file for the name of the service running on port 23 (telnet). inetd then consults the /etc/inetd.conf file for the name of the daemon or program that runs the telnet service (in this case, in.telnetd).
3. Finally, inetd runs in.telnetd, concluding its role in that particular connection, and goes back to listening for other connection requests.
How, then, can you restrict certain clients from accessing your system while allowing others in? This is where TCP wrappers come in. A TCP wrapper acts as a daemon that resides between a Linux system's inetd and the other programs or daemons on that system, such as in.ftpd, in.telnetd, and so on. Instead of calling a program directly, as in step 3 of the preceding numbered list, inetd calls the TCP wrapper. The wrapper reads the source IP address from the packet and allows or denies the connection according to the rules defined for the TCP wrapper. Irrespective of whether the connection is allowed or denied, the wrapper logs the connection request.
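To make the two-file inetd lookup and the wrapper's allow/deny decision concrete, here is a small Python model of that flow. It is an added example, not code from the book or from the tcp_wrappers package: the /etc/services, /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny excerpts are constructed, the client-pattern matching covers only a subset of what the real hosts_access(5) syntax supports (ALL, a trailing-dot network prefix, and an exact address), and the log line format only approximates what tcpd writes to syslog. The order of evaluation it models (hosts.allow first, then hosts.deny, otherwise allow) and the classic inetd.conf layout in which inetd runs tcpd with the real daemon as its argument are how the actual software behaves.

```python
"""Model of the inetd -> tcpd decision flow described in the text.

Added example; config excerpts are constructed, and the client matching is a
simplified subset of libwrap's hosts_access(5) rules.
"""

# Constructed excerpt of /etc/services: service-name  port/protocol  [aliases]
SERVICES = """\
# service-name  port/protocol  [aliases ...]
ftp             21/tcp
telnet          23/tcp
smtp            25/tcp          mail
"""

# Constructed excerpt of /etc/inetd.conf in the classic 7-field layout:
# service socktype proto wait/nowait user server-program server-args
# telnet and ftp are wrapped (inetd runs tcpd, which then runs the daemon);
# smtp is deliberately left unwrapped, so it gets no access check and no log.
INETD_CONF = """\
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd       in.telnetd
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd       in.ftpd
smtp    stream  tcp  nowait  root  /usr/sbin/sendmail   sendmail -bs
"""

# Constructed /etc/hosts.allow and /etc/hosts.deny. tcpd consults hosts.allow
# first; the first matching line decides, and a client that matches neither
# file is allowed, which is why the deny file ends with a catch-all.
HOSTS_ALLOW = """\
in.telnetd: 192.168.1.
in.ftpd:    192.168.1.10
"""
HOSTS_DENY = """\
ALL: ALL
"""


def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_services(text):
    """Map TCP port number -> service name (what inetd does in step 2)."""
    ports = {}
    for line in _lines(text):
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        if proto == "tcp":
            ports[int(port)] = name
    return ports


def parse_inetd_conf(text):
    """Map service name -> (server program, argv) from inetd.conf."""
    table = {}
    for line in _lines(text):
        fields = line.split()
        table[fields[0]] = (fields[5], fields[6:])
    return table


def parse_hosts_access(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in _lines(text):
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, 'a.b.c.' prefix, exact IP."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def rule_matches(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def wrapper_decision(daemon, ip, allow_rules, deny_rules):
    """tcpd's verdict: hosts.allow first, then hosts.deny, then default allow."""
    if rule_matches(allow_rules, daemon, ip):
        return "allow"
    if rule_matches(deny_rules, daemon, ip):
        return "deny"
    return "allow"


def handle_connection(port, client_ip, log):
    """Simulate inetd receiving a connection to `port` from `client_ip`.

    Returns the daemon that ends up serving the client, or None if the
    service is unknown or tcpd refused it. Every wrapped request is
    appended to `log` regardless of the verdict.
    """
    service = parse_services(SERVICES).get(port)
    conf = parse_inetd_conf(INETD_CONF)
    if service is None or service not in conf:
        return None
    program, args = conf[service]
    if not program.endswith("/tcpd"):
        # Unwrapped service: inetd runs the daemon directly, no check, no log.
        return program.rsplit("/", 1)[-1]
    daemon = args[0]  # tcpd's first argument names the real daemon
    verdict = wrapper_decision(daemon, client_ip,
                               parse_hosts_access(HOSTS_ALLOW),
                               parse_hosts_access(HOSTS_DENY))
    what = "connect from" if verdict == "allow" else "refused connect from"
    log.append(f"{daemon}: {what} {client_ip}")  # approximates tcpd's syslog line
    return daemon if verdict == "allow" else None


if __name__ == "__main__":
    events = []
    for port, ip in [(23, "192.168.1.5"), (23, "10.0.0.9"), (21, "192.168.1.11"), (25, "10.0.0.9")]:
        print(port, ip, "->", handle_connection(port, ip, events))
    print("\n".join(events))
```

The smtp case is the point worth noticing: because its inetd.conf line runs sendmail directly rather than through tcpd, the access files are never consulted and nothing is logged. Wrapping a service is a per-line decision in inetd.conf, so an audit of a machine's wrapper rules has to start from that file, not from hosts.allow and hosts.deny alone.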